Adobe Delays Patch Release for PDF Vulnerability


Adobe this week acknowledged that a new PDF zero-day vulnerability is causing computers running its Reader and Acrobat applications to shut down and potentially be usurped by hackers.

But the software developer won't be offering the appropriate patches until Jan. 12.

In an advisory posted Tuesday on its Web site, Adobe officials said they're aware that this "vulnerability is being actively exploited in the wild."

Adobe (NASDAQ: ADBE) is recommending that customers use the JavaScript Blacklist Framework functionality, which is detailed in the advisory, or that they simply disable JavaScript in versions of both applications to "mitigate" the vulnerability until it releases the fixes during its regularly scheduled quarterly security update on Jan. 12.

The reason for the delay?

According to another blog entry posted Wednesday, Adobe's security team would have needed between two and three weeks to deliver a comprehensive series of patches. The time programmers spent addressing the malicious PDF code would have meant delaying the release of the regular quarterly update for other security and performance issues.

Company officials said Adobe Reader 9.2 and earlier versions for Windows, Macintosh and UNIX and Adobe Acrobat 9.2 and earlier versions for Windows and Macintosh are the affected applications.

"Adobe actively shares information about this and other vulnerabilities with partners in the security community to enable them to quickly develop detection and quarantine methods to protect users until a patch is available," the company said in its advisory. "Adobe recommends that you keep your anti-malware software and definitions up-to-date and monitor releases from your vendor about this issue."

According to security software experts, the popularity of Adobe's publishing and editing applications makes them especially appealing to hackers and phishers looking to install and distribute malware. Because Reader and Acrobat are so common and widely used, most people don't give a second thought to clicking on attachments created with the familiar applications.

Adobe has wrestled with this PDF zero-day vulnerability before and issued a flurry of patches in October to safeguard its applications from a variety of security holes.

The latest round of patches addressed multiple memory and heap buffer overflow conditions that led to arbitrary code execution. Also, at least six patches were proffered to deal with input validation flaws.

"Adobe categorizes this as a critical issue and recommends that users follow the mitigation guidance [provided] until a patch is available," the advisory said.

Larry Barrett is a senior editor at Based in Las Vegas, Larry covers IT management, enterprise software, services and security.